Merge branch 'main' into feature/CCM-11067_Add_Internal_Workflows

Author: aidenvaines-cgi

.github/actions/check-todo-usage/action.yaml

@@ -0,0 +1,10 @@
+name: "Check Todo usage"
+description: "Check Todo usage"
+runs:
+  using: "composite"
+  steps:
+    - name: "Check Todo usage"
+      shell: bash
+      run: |
+        export BRANCH_NAME=origin/${{ github.event.repository.default_branch }}
+        check=branch ./scripts/githooks/check-todos.sh

.github/workflows/cicd-3-deploy.yaml

@@ -48,7 +48,6 @@ jobs:
           echo "nodejs_version=$(grep "^nodejs\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
           echo "python_version=$(grep "^python\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
           echo "terraform_version=$(grep "^terraform\s" .tool-versions | cut -f2 -d' ')" >> $GITHUB_OUTPUT
-          # TODO: Get the version, but it may not be the .version file as this should come from the CI/CD Pull Request Workflow
           echo "version=$(head -n 1 .version 2> /dev/null || echo unknown)" >> $GITHUB_OUTPUT
           # echo "tag=${{ github.event.inputs.tag }}" >> $GITHUB_OUTPUT
       - name: "List variables"

.github/workflows/stage-1-commit.yaml

@@ -101,6 +101,17 @@ jobs:
           fetch-depth: 0 # Full history is needed to compare branches
       - name: "Check English usage"
         uses: ./.github/actions/check-english-usage
+  check-todo-usage:
+    name: "Check TODO usage"
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # Full history is needed to compare branches
+      - name: "Check TODO usage"
+        uses: ./.github/actions/check-todo-usage
   detect-terraform-changes:
     name: "Detect Terraform Changes"
     runs-on: ubuntu-latest

.github/workflows/stage-3-build.yaml

@@ -60,7 +60,7 @@ jobs:
       - name: "Upload artefact 1"
         run: |
           echo "Uploading artefact 1 ..."
-          # TODO: Use either action/cache or action/upload-artifact
+          # Use either action/cache or action/upload-artifact
   artefact-n:
     name: "Artefact n"
     runs-on: ubuntu-latest
@@ -77,4 +77,4 @@ jobs:
       - name: "Upload artefact n"
         run: |
           echo "Uploading artefact n ..."
-          # TODO: Use either action/cache or action/upload-artifact
+          # Use either action/cache or action/upload-artifact

scripts/config/pre-commit.yaml

@@ -63,3 +63,10 @@ repos:
         entry: ./scripts/githooks/check-terraform-docs.sh
         language: script
         pass_filenames: false
+  - repo: local
+    hooks:
+      - id: check-todo-usage
+        name: Check TODO usage
+        entry: /usr/bin/env check=branch ./scripts/githooks/check-todos.sh
+        language: script
+        pass_filenames: false

scripts/githooks/check-todos.sh

@@ -0,0 +1,237 @@
+#!/bin/bash
+
+# WARNING: Please, DO NOT edit this file! It is maintained in the Repository Template (https://github.com/nhs-england-tools/repository-template). Raise a PR instead.
+
+set -euo pipefail
+
+# Pre-commit git hook to scan for secrets hard-coded in the codebase. This is a
+# gitleaks command wrapper. It will run gitleaks natively if it is installed,
+# otherwise it will run it in a Docker container.
+#
+# Usage:
+#   $ [options] ./scan-secrets.sh
+#
+# Options:
+#   check=all                   # check all files in the repository
+#   check=staged-changes        # check only files staged for commit.
+#   check=working-tree-changes  # check modified, unstaged files. This is the default.
+#   check=branch                # check for all changes since branching from $BRANCH_NAME
+#   VERBOSE=true                # Show all the executed commands, default is 'false'
+#
+# Exit codes:
+#   0 - No Todos
+#   1 - Todos found or error encountered
+#   126 - Unknown flag
+
+# ==============================================================================
+
+EXCLUDED_FILES=(
+  ".devcontainer/devcontainer.json"
+  ".tool-versions"
+  "infrastructure/terraform/bin/terraform.sh"
+  "Makefile"
+  "project.code-workspace"
+  "src/jekyll-devcontainer/src/.devcontainer/devcontainer.json"
+)
+
+EXCLUDED_DIRS=(
+  ".git/"
+  ".venv/"
+  "docs/"
+  "node_modules/"
+)
+
+
+# Get files to check based on mode
+function get_files_to_check() {
+  local mode="$1"
+  case "$mode" in
+    staged-changes)
+      git diff --diff-filter=ACMRT --name-only --cached # ACMRT only show files added, copied, modified, renamed or that had their type changed (eg. file → symlink) in this commit. This leaves out deleted files.
+      ;;
+    working-tree-changes)
+      git ls-files --others --exclude-standard && git diff --diff-filter=ACMRT --name-only
+      ;;
+    branch)
+      git diff --diff-filter=ACMRT --name-only ${BRANCH_NAME:-origin/main}
+      ;;
+    all)
+      git ls-files && git ls-files --others --exclude-standard
+      ;;
+    *)
+      echo "Unknown check mode: $mode" >&2
+      exit 126
+      ;;
+  esac
+}
+
+
+function build_exclude_args() {
+  local args=(
+    --exclude=".github/actions/check-todo-usage/action.yaml"
+    --exclude=".github/workflows/stage-1-commit.yaml"
+    --exclude="scripts/config/pre-commit.yaml"
+    --exclude="scripts/githooks/check-todos.sh"
+  ) # Exclude this script and its references by default, as it naturally contains TODOs. Todo todo todo <- see?
+
+  if [ ${#EXCLUDED_DIRS[@]} -gt 0 ]; then
+    for dir in "${EXCLUDED_DIRS[@]}"; do
+      args+=(--exclude-dir="$dir")
+    done
+  fi
+
+  if [ ${#EXCLUDED_FILES[@]} -gt 0 ]; then
+    for file in "${EXCLUDED_FILES[@]}"; do
+      args+=(--exclude="$file")
+    done
+  fi
+  echo "${args[@]}"
+}
+
+
+function search_todos() {
+  local mode="$1"
+  shift # Shift positional parameters so $@ contains only exclude_args
+  local exclude_args=("$@")
+  local todos=""
+
+  local files
+  files=$(get_files_to_check "$mode")
+  # flatten files to unique list
+  files=$(echo "$files" | tr ' ' '\n' | sort -u)
+
+  for file in $files; do
+    skip=false
+
+    # Check if the file matches any exclude patterns
+    # Exclude files based on provided arguments and predefined directories
+    for ex in "${exclude_args[@]}"; do
+      if [[ "$ex" == --exclude* ]]; then
+        pattern=${ex#--exclude=}
+        [[ "$file" == $pattern ]] && skip=true && break
+      fi
+    done
+
+    # Check if the file is in any of the excluded directories
+    for exdir in "${EXCLUDED_DIRS[@]}"; do
+      [[ "$file" == $exdir* ]] && skip=true && break
+    done
+
+    # If the file is excluded, skip it
+    if [ "$skip" = false ] && [ -f "$file" ]; then
+      file_todos=$(grep -nHi TODO "$file" || true)
+      [ -n "$file_todos" ] && todos+="$file_todos\n"
+    fi
+  done
+
+  echo -e "$todos"
+}
+
+
+function filter_todos_with_valid_jira_ticket() {
+  local todos="$1"
+  local jira_regex="[A-Z][A-Z0-9]+-[0-9]+"
+  local todos_without_ticket=""
+
+  while IFS= read -r line; do
+    # Only lines with TODO but without a valid JIRA ticket
+    if grep -qi 'TODO' <<< "$line"; then
+      if ! [[ "$line" =~ $jira_regex ]]; then
+        todos_without_ticket+="$line\n"
+      fi
+    fi
+  done <<< "$(echo -e "$todos")"
+
+  # Output only TODOs without a valid JIRA ticket
+  echo -e "$todos_without_ticket"
+}
+
+
+function print_output() {
+  local todos="$1"
+  local exclude_args="$2"
+  local todo_count=$(line_count "$todos")
+
+  echo "TODO Check Configuration:"
+  echo "========================================="
+  echo "  Check Mode: ${check:-working-tree-changes}"
+  echo "  Total TODOs found: $todo_count"
+
+  if [ ${#EXCLUDED_DIRS[@]} -gt 0 ]; then
+    echo "  Excluded Directories: ${EXCLUDED_DIRS[*]}"
+  else
+    echo "  Excluded Directories: (none)"
+  fi
+
+  if [ ${#EXCLUDED_FILES[@]} -gt 0 ]; then
+    echo "  Excluded Files: ${EXCLUDED_FILES[*]}"
+  else
+    echo "  Excluded Files: (none)"
+  fi
+
+  if is-arg-true "${VERBOSE:-false}"; then
+    echo "Grep Exclude Args: $exclude_args"
+  fi
+
+  echo -e "\n========================================="
+  echo "All TODOs found: $todo_count"
+  echo "========================================="
+
+  if [ "$todo_count" -gt 0 ]; then
+    echo "$todos"
+  else
+    echo "No TODOs found."
+  fi
+
+  local results=$(filter_todos_with_valid_jira_ticket "$todos")
+  local results_count=$(line_count "$results")
+
+  echo -e "\n========================================="
+  echo "TODOs without a Jira ticket: $results_count"
+  echo "========================================="
+
+  if [ "$results_count" -gt 0 ]; then
+    echo "$results"
+    exit 1
+  else
+      echo "No TODOs found without a Jira reference."
+  fi
+}
+
+
+function main() {
+  cd "$(git rev-parse --show-toplevel)"
+
+  local check_mode="${check:-working-tree-changes}"
+  local exclude_args=$(build_exclude_args)
+  local todos=$(search_todos "$check_mode" $exclude_args)
+  print_output "$todos" "$exclude_args"
+}
+
+# ==============================================================================
+
+# Count non-empty lines in a string
+function line_count() {
+  local input="$1"
+  if [ -n "$input" ]; then
+    echo -e "$input" | wc -l
+  else
+    echo 0
+  fi
+}
+
+function is-arg-true() {
+  if [[ "$1" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]; then
+    return 0
+  else
+    return 1
+  fi
+}
+
+# ==============================================================================
+
+is-arg-true "${VERBOSE:-false}" && set -x
+
+main "$@"
+
+exit 0